* All placeholder strings. Used for defense-in-depth: if a varScope value * contains ANY placeholder (exact or embedded), the value is NOT a pure * literal and cannot be trusted as a bare argument. Covers composites like * `VAR="prefix$(cmd)"` → `"prefix__CMDSUB_OUTPUT__"` — the substring check
(value: string)
| 92 | * `VAR=__TRACKED_VAR__ && rm $VAR` — treated as non-literal (conservative). |
| 93 | */ |
| 94 | function containsAnyPlaceholder(value: string): boolean { |
| 95 | return value.includes(CMDSUB_PLACEHOLDER) || value.includes(VAR_PLACEHOLDER) |
| 96 | } |
| 97 | |
| 98 | /** |
| 99 | * Unquoted $VAR in bash undergoes word-splitting (on $IFS: space/tab/NL) |
no outgoing calls
no test coverage detected